Large-scale 1-1 NAT

From: Christopher Cowart <ccowart@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 24 Sep 2007 00:25:17 -0700

Hello,

We're working on expanding our wireless network. Unfortunately, we're
running out of IP addresses (aren't we all). As much as I'd love to just
tell everyone to use IPv6, that isn't gonna fly. The next plan to
consider is using an RFC1918 pool and NATing the traffic.

If only it were that simple. The security folks have mandated that
anyone who can talk to the internet at large must be individually
indentifiable. This means having hundreds of users NATing to a single
internet-routable IP isn't happening.

I want to try a setup in which we have a big RFC1918 pool of addresses,
say 10.8/16. In their initial state, these hosts might NAT to a single
public IP and perform some transparent proxying to get them to an
authentication page. The firewall on our NAT box would be extremely
restrictive for these clients.

When a user authenticates, we will allocate a single public IP for the
session. At this time, our code would use ipfw to move the user into a
different lookup table and also update the NAT table.

The real question is: what's the best way to dynamically update the NAT
table?

It doesn't look like there's any way to have a running natd update its
configuration without restarting. That's obviously disruptive.

I also doubt it's a good idea to try to launch a single natd process per
authenticated client. We have a /22 and a /23 in our public pools, and
we expect to max that out (1500+ clients).

Has anyone attempted a setup like this? Do you have any pointers for
designing this to scale well? We are planning on throwing hardware at
it, but that only gets us so far.

Thanks for your help,

--
Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Attachment: pgpOQjSH4ZfmD.pgp
Description: PGP signature

Follow-Ups:
- Re: Large-scale 1-1 NAT
  - From: Julian Elischer
- Re: Large-scale 1-1 NAT
  - From: Cristian KLEIN

Prev by Date: Re: Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_1_2
Next by Date: Re: Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_1_2
Previous by thread: Re: Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_1_2
Next by thread: Re: Large-scale 1-1 NAT
Index(es):
- Date
- Thread

Relevant Pages

Re: Large-scale 1-1 NAT
... these hosts might NAT to a single ... authentication page. ... we expect to max that out (1500+ clients). ... I suggest you find out if that is the only solution your security people ...
(freebsd-net)
Re: IAS/RADIUS error on some XPsp2 clients
... authenticate to a wireless network. ... All clients are XP sp2. ... Reason = The Remote Authentication Dial-In User Service request ... This in turn was due to my local CA root cert not being properly installed on the client (which it should have been, it's pushed to the clients by group policy. ...
(microsoft.public.windowsxp.network_web)
Re: Win2k Internet Connection Sharing: How does it work
... > How does Win2k Internet connection sharing work? ... It doesn't give Clients anything for that matter. ... NAT" or "Port Forwarding" or even a combination of the two. ...
(microsoft.public.win2000.general)
Re: Win2k Internet Connection Sharing: How does it work
... > How does Win2k Internet connection sharing work? ... It doesn't give Clients anything for that matter. ... NAT" or "Port Forwarding" or even a combination of the two. ...
(microsoft.public.win2000.networking)
Re: IPSEC VPN NAT
... So I cannot pre-configure the Clients for differnet ... ISA/VPN and try to reproduce the setup, ... NAT Traversal ... There are a number of problems with using IPsec over NAT devices. ...
(microsoft.public.isaserver)